Augeas - Partial control of sshd-config - Match entries - match

In the config file /etc/ssh/sshd_config I want to determine PasswordAuthentication entries for a few specific users (or Groups) like:
Match Group xyz_admin, xyz_support
PasswordAuthentication no
Match User yvonne,yvette
PasswordAuthentication yes
I don't want to interfere with or have any control over similar but unrelated entries which may or may not be present like:
Match User xavier
X11Forwarding yes
Match Group alice
AllowTcpForwarding yes
The following Augeas expressions create the entries I need but could corrupt existing configuration entries.
set /files/etc/ssh/sshd_config/Match[1]/Condition/Group "xyz_admin,xyz_support"
set /files/etc/ssh/sshd_config/Match[1]/Settings/PasswordAuthentication "no"
set /files/etc/ssh/sshd_config/Match[2]/Condition/User "yvonne,yvette"
set /files/etc/ssh/sshd_config/Match[2]/Settings/PasswordAuthentication "yes"
Any idea how I can make these expressions more specific so they avoid messing with any existing and unrelated "Match" entries ?

You can use the Condition/* subnodes to filter out the Match nodes.
For an example, you can see how it is done in the puppet sshd_config provider (in Ruby). Note that all keys in sshd_config are case-insensitve, so you need to use regular expressions to be sure to match them regardless of their case.

Related

Whats the meaning of CHANGEME in K8s helm charts?

While checking the values of yaml files for a helm chart, one often encounters
changeme passed as a value. E.g.:
rabbitmq.conf: |-
##username and password
default_user={{.Values.rabbitmq.username}}
default_pass=CHANGEME
or:
config:
accumuloSite:
instance.secret: "changeme"
userManagement:
rootPassword: "changeme"
What is the meaning of "changeme"?
Is it just a word that needs to be replaced? If so, what will happen if it is not? A security hole, or hopefully an error?
Or is it a keyword that lets the system to replace this with a secure password? If so, how does the system know what type of password to produce?
In either case, how does the chart connect this value with other places where this value might be needed? ( e.g. if this is a password another -dependent to the first- service needs, how is the manually assigned / derived password propagated to the second service? )
(*mainly interested about helm v3 if this is important)
I'd almost always expect this to be just a placeholder that needs to be filled in. In many cases YAML can wind up having inconsistent types if a value is actually absent, so it can be useful to have some value in the chart's values.yaml, but for things like passwords there's not a "right default value" you could include.
Nothing will automatically replace these for you or warn if you're using the default values. Nothing bad will obviously happen if you do deploy with these values, but I'm sure changeme is up there with passw0rd on the short list of default passwords to try if you're actively trying to break into a system.
If you were writing your own chart, you could also test if a value is present using required and explain what's missing, and this approach might be more secure than having a well-known default password.

How to create element from API with name from appropriate sequence?

I'd like to use EA to generate Requirement elements programatically. I need to use the same sequence numbering (REQ00000xy), as with the GUI when pressing "Auto" button in "Add Element ..." dialog in order to keep´consistent numbering for Requirement elements created either from GUI or from API.
Selecting the last used sequence number from already existing Requierement elements won't help, as it don't move the sequence number up and next Requirement created from GUI .
Is there a way to get (and properly use) the sequence number via EA API or EA SQL?
The table you're looking for is t_trxtypes. This contains something like (EA's output)
Description;NumericWeight;Notes;TRX;TRX_ID;Style;
Autocount;1,00;prefix=bla;suffix=x;active=1;active_a=0;counter=126;;Class;1; ;
You're interested in the column Notes which holds as CSV list like
prefix=bla;suffix=x;active=1;active_a=0;counter=126;
This is a test setting for a class which currently has the number 126. So the next created class would be named bla126x and the entry would change to
prefix=bla;suffix=x;active=1;active_a=0;counter=127;
Just keep the columne t_trxtypes.notes in synch with your creations.
Note EA does not (seem to) allow direct DB access. However, it has a proven back door:
Repository.Execute("UPDATE t_trxtypes SET Notes='prefix=bla;suffix=x;active=1;active_a=0;counter=127;' WHERE TRX_ID=<your id>")
will do the update (replace <your id> with the appropriate key). Though Execute is undocumented it works ever since and for sure Sparx will not limit it as nowadays everyone relies on it.
As a side note: This counter is not safe. There are lots of ways (the easiest is a simple rename) to break it. You'd need some script/add-in to have regular checks your numbering is still consistent. If you rely on requirement numbering you better use an external system like, I dare to say, DOORS.
Finally, RTFM....
For elements, where sequence is defined, if you use empty name in set =AddNew() function, EA generates the sequence upon .Update(). Not earlier. So if you plan to use the generated sequence and add some description, you need to create the element with empty name first, then Update() it and after that append your description to the content of the Name field.
As easy as this.

Firestore security rules - wildcarding Collection Names?

I have a set of Collections whose names all start with ABC and I want to write a single rule that applies to all of them regardless of what follows ABC. Something like:
match /ABC*/{anyid} {
allow read, write;
}
Is this possible? In the Rules Console there are no syntax errors highlighted, but the Simulator won't allow me to access the table with:
GET /ABC123/456
Any ideas?
As far as I know it is not currently possible to match on a partial collection (or document) name. It sounds like an interesting feature request though, so I recommend filing a feature request.
In the meantime, the only thing I can think of is matching all collections, and then testing the path through resource['__name__']:
match /53829635/{document} {
match /{col}/{doc} {
allow read: if resource['__name__'][5].matches('ABC.*')
}
}
The resource['__name__'] expression returns a Path, which can be indexes as an array to get the path segments. It has a form /databases/(default)/documents/collection/document, so the subcollection is at index 5. Since that is just a string, we can use matches on it. In this case I allow reading from any subcollection whose name starts with ABC.
Update: it turns out that you can also simply access the col wildcard, instead of looking up from the path. So this would work the same:
allow read: if col.matches('ABC.*')

Moodle's usernames lowercase only

Currently Moodle doesn't allow letters other than lowercase as username. Is there a way to change this rule?
I think its because Moodle can be used with several types of databases - some databases ignore the case which is okay but some don't ignore the case - which would be confusing if 2 users had the same username but with different caps.
There might also be checks in the code where case sensitivity is important.
I wouldn't recommend it but if you really want to use uppercase usernames then search for the string id 'usernamelowercase' and remove the checks - in Moodle 2.5 these are in:
/auth/emailadmin/signup_form.php - in the validation function
/login/signup_form.php - in the validation function
/user/editadvanced_form.php - in the validation function
/user/lib.php - 2 functions for adding and updating a user

how can I add weight to keyword for thinking sphinx

I did such search,
` Comment.search "aabbb "`
and I want to get the results which contain "ab" too.;
So I did that way:
` Comment.search "aabbb ab"`
but I found the results aabbb and ab are mixed , in fact, I want to make the results which match aabbb shows before ab, in other words, have a higher priority.
I know sphinx can add weight the fields of the table. for example add 10 to comments's name, 20 to comment's content. but is it possible to add weight to the query works?
Unfortunately this is not possible with sphinx yet but you can add similar behavior on a query by adding multiple times the keyword you want to weight.
For example:
"aabbb | aabbb | ab"
The aabbb is twice more important than ab
Sphinx has no ability to weight certain search phrases, I'm afraid - so what you're trying to do is not possible.
It's also worth noting that Sphinx uses AND logic by default - if you want results that match either aabbb OR ab, you'll probably want to use the :any match mode:
Comment.search "aabbb ab", :match_mode => :any